Commentary | Videos | November 17, 2025

Staying Ahead of HIPAA

In the fourth part of his Pharma Commerce video interview, Faisal Khan, a GRC solutions expert with Vanta, explains how tools like Vanta offer real-time visibility, safeguard patient data, and help prevent costly violations before they occur.

In a recent discussion with Pharmaceutical Commerce, Faisal Khan, a GRC solutions expert with Vanta, highlights how internal employee error continues to drive nearly half of all HIPAA-related data incidents. According to Khan, most of these breaches stem from fundamental lapses in access control and data management—specifically, employees having broader data access than their roles require. Without strict adherence to the principles of least privilege and role-based access control, protected health information (PHI) can easily be exposed, misused, or mishandled.

Khan explained that excessive access privileges often create a “trickle effect” across operations, leading to unintentional errors such as sending PHI to incorrect recipients, storing it in unsecured locations, or using it inappropriately for nonessential functions. These mistakes are not always malicious but are frequently the result of poor oversight, unclear data ownership, and insufficient process documentation.

To address these issues proactively, Khan recommended that healthcare and life sciences organizations map their data flows in detail—identifying how sensitive information moves within and beyond their systems. This process should include documenting where each transfer of PHI originates, where it goes, and by what mechanism it moves, so that vulnerabilities or inefficiencies in how PHI is handled become visible.

Once these flows are understood, organizations can establish comprehensive asset and data inventories, helping security teams monitor what information exists, who can access it, and how it’s used. With these insights, leaders can implement targeted access controls, correct overly permissive roles, and reinforce policies for data storage and sharing.
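As an added illustration of the data-flow mapping and access inventory described above (this is example code written for this page, not code from the article or from Vanta), the script below takes a constructed inventory of PHI datasets, the roles with a documented need for each, the systems approved to receive each dataset, the observed data flows, and the role grants actually configured. It then reports roles whose grants exceed their documented need and flows that deliver PHI to an unapproved destination, which is exactly the kind of review that corrects overly permissive roles. All dataset, system, role, and user names are hypothetical.

```python
from typing import Dict, List, Set, Tuple

# Constructed sample inventory (hypothetical names, not from the article).
# For each PHI dataset: where it is stored, which roles have a documented
# business need for it, and which systems are approved destinations for it.
PHI_DATASETS: Dict[str, dict] = {
    "patient_records": {
        "store": "ehr-db",
        "roles_needing_access": {"clinician", "billing"},
        "approved_destinations": {"ehr-db", "billing-app"},
    },
    "claims": {
        "store": "claims-db",
        "roles_needing_access": {"billing"},
        "approved_destinations": {"claims-db", "clearinghouse"},
    },
    "lab_results": {
        "store": "lab-s3-bucket",
        "roles_needing_access": {"clinician", "lab_tech"},
        "approved_destinations": {"lab-s3-bucket", "ehr-db"},
    },
}

# Observed data flows from the mapping exercise:
# (dataset, source system, destination system, transfer mechanism).
DATA_FLOWS: List[Tuple[str, str, str, str]] = [
    ("patient_records", "ehr-db", "billing-app", "sftp"),
    ("lab_results", "lab-s3-bucket", "ehr-db", "https"),
    ("lab_results", "lab-s3-bucket", "marketing-crm", "csv-export"),
    ("claims", "claims-db", "clearinghouse", "edi"),
]

# Role-based grants as actually configured in the systems (constructed).
ROLE_GRANTS: Dict[str, Set[str]] = {
    "clinician": {"patient_records", "lab_results"},
    "billing": {"patient_records", "claims", "lab_results"},
    "lab_tech": {"lab_results"},
    "marketing": {"patient_records"},
}

# User-to-role assignments (constructed).
USERS: Dict[str, str] = {"alice": "clinician", "bob": "billing", "carol": "marketing"}


def excess_grants(role_grants: Dict[str, Set[str]], datasets: Dict[str, dict]) -> Dict[str, Set[str]]:
    """Return, per role, the PHI datasets it can reach without a documented need."""
    excess: Dict[str, Set[str]] = {}
    for role, granted in role_grants.items():
        needed = {name for name, meta in datasets.items() if role in meta["roles_needing_access"]}
        extra = granted - needed
        if extra:
            excess[role] = extra
    return excess


def undocumented_flows(flows: List[Tuple[str, str, str, str]], datasets: Dict[str, dict]) -> List[Tuple[str, str, str, str]]:
    """Return flows that deliver PHI to a system not approved for that dataset."""
    flagged = []
    for flow in flows:
        dataset, _src, dst, _mech = flow
        meta = datasets.get(dataset)
        # An unknown dataset is flagged too: it means the inventory is incomplete.
        if meta is None or dst not in meta["approved_destinations"]:
            flagged.append(flow)
    return flagged


def effective_phi_access(users: Dict[str, str], role_grants: Dict[str, Set[str]]) -> Dict[str, Set[str]]:
    """Map each user to the PHI datasets reachable through their role."""
    return {user: set(role_grants.get(role, set())) for user, role in users.items()}


def review_report(users=USERS, role_grants=ROLE_GRANTS, flows=DATA_FLOWS, datasets=PHI_DATASETS) -> dict:
    """Combine the checks into one report a compliance reviewer can act on."""
    excess = excess_grants(role_grants, datasets)
    return {
        "excess_grants": excess,
        "undocumented_flows": undocumented_flows(flows, datasets),
        "users_with_excess": sorted(user for user, role in users.items() if role in excess),
    }


if __name__ == "__main__":
    for key, value in review_report().items():
        print(f"{key}: {value}")
```

In the constructed data the review flags the billing role for reaching lab results it has no documented need for, the marketing role for reaching patient records at all, and the CSV export of lab results to a marketing CRM that is not an approved destination. In a real deployment the three inventories would be pulled from the identity provider, the data catalog, and transfer logs rather than hard-coded, and the report would be re-run on every change so that an overly permissive grant is caught before it turns into a reportable incident.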

Ultimately, Khan emphasized that protecting PHI requires more than compliance checkboxes—it demands a continuous, structured approach to data visibility and accountability. By aligning access control and data management with operational needs, organizations can meaningfully reduce risk while maintaining compliance with evolving HIPAA standards.

He also dives into the threat that third-party noncompliance poses to healthcare data security; best practices to close the perception gap of leaders feeling confident in vendor compliance despite limited oversight; and much more.

A transcript of his conversation with PC can be found below.

PC: How can healthcare organizations keep pace with evolving HIPAA regulations while managing resource constraints?

Khan: There's a lot of things that come to mind, but I'm going to talk to two. So the first is really prioritizing activities based on risk. You hear me talk a lot about risk in this conversation, but it really is focusing on that as the first primary area, where what's the worst thing that could happen to your organization, your processes and activities, and really the integrity that you have and how you uphold it. Focus on those first areas where non-compliance would have the greatest impact on patient data, and would that maybe impact your legal exposure as well? Use the crown jewels, like sensitive data and systems, to inform yourself and really target what your compliance scope should be, and then layering in things that maybe should just be company-wide based on what they are and what they're trying to accomplish.

And then two, leverage a trust management platform like Vanta that provides you the guidance you need to stay on top of regulations like HIPAA, including what future changes to them may include. Platforms like Vanta, we connect with your systems to continuously monitor a lot of technical safeguards, and then provide guidance to really implement and manage others that may be more organizational or administrative in nature.

Just implementing a system like that, it increases your visibility to potential compliance gaps before they become issues, so that you're being a bit more proactive with those things and mitigating potential violations in the future.
